Hi, I am using this template for Postfix:

PUT /_template/postfix
{
  "template": "postfix*",
  "settings":{
     "index":{
        "analysis":{
           "analyzer":{
              "email":{
                 "tokenizer":"keyword",
                 "filter":"lowercase"
              }
           }
        }
     }
  },
  "mappings": {
    "logs": {
      "properties": {
        "@timestamp": {
          "type": "date",
          "format": "strict_date_optional_time||epoch_millis"
        },
        "@version": {
          "type": "string"
        },
        "clienthostname": {
          "type": "string"
        },
        "clientip": {
          "type": "ip"
        },
        "delay": {
          "type": "double"
        },
        "deferred": {
          "type": "boolean"
        },
        "delays": {
          "type": "string"
        },
        "dsn": {
          "type": "string"
        },
        "entry_date": {
          "type": "string"
        },
        "lastqueueid": {
          "type": "string"
        },
        "logsource": {
          "type": "string"
        },
        "mailfrom": {
          "type": "string",
          "index": "not_analyzed"
        },
        "mailsize": {
          "type": "long"
        },
        "numberofrecipients": {
          "type": "long"
        },
        "pid": {
          "type": "long"
        },
        "postfixdaemon": {
          "type": "string"
        },
        "program": {
          "type": "string"
        },
        "queueid": {
          "type": "string"
        },
        "recipients": {
          "type" : "nested",
          "properties": {
            "rcptto": {"type": "string", "analyzer":"email" }
          }
        },
        "relay": {
          "type": "string"
        },
        "relayip": {
          "type": "string"
        },
        "removal_time": {
          "type": "string"
        },
        "removed": {
          "type": "string"
        },
        "status": {
          "type": "string"
        },
        "tags": {
          "type": "string"
        },
        "timestamp": {
          "type": "string"
        },
        "total_delay": {
          "type": "long"
        }
      }
    }
  }
}

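My recipients field is nested, and I am using an analyzer to do the work (keep the full mail address and convert it to lowercase). When I test the analyzer with this request, it works well: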
GET /_analyze
{
    "tokenizer":"uax_url_email",
    "filters":["lowercase"],
    "text":["test","[email protected]"]

}

It returns:
{
   "tokens": [
      {
         "token": "test",
         "start_offset": 0,
         "end_offset": 4,
         "type": "<ALPHANUM>",
         "position": 0
      },
      {
         "token": "[email protected]",
         "start_offset": 5,
         "end_offset": 27,
         "type": "<EMAIL>",
         "position": 1
      }
   ]
}

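However, when I index my data, the recipients.rcptto field is not converted to lowercase, and when I run a search request on recipients.rcptto, it does not work.
It seems that my rcptto part is not indexed correctly.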

Indexed data:
POST /postfix/logs
{
                 "status" : "sent",
                "queueid" : "3nTgBP6Mrpz18dwD",
          "postfixdaemon" : "smtpd",
             "recipients" : [
             {
                 "rcptto" : "[email protected]"
             },
             {
                 "rcptto" : "[email protected]"
             }
         ],
               "mailfrom" : "[email protected]",
               "clientip" : "127.0.0.1",
         "clienthostname" : "server.fr",
                    "pid" : 7996,
                 "delays" : "0.06/0/0/0.28",
              "logsource" : "smtp2",
            "total_delay" : 1,
               "mailsize" : 23792,
                  "delay" : 0.34,
                "program" : "postfix",
             "entry_date" : "Jan  5 00:45:33",
              "timestamp" : "Jan  5 00:45:33",
                "removed" : "True",
               "@version" : "1",
             "@timestamp" : "2016-01-04T23:45:33.000Z"
 }

Request based on the "status" field:
GET /postfix*/_search
{
  "fields":"recipients.rcptto",
  "query": {
    "term": {
      "status": "sent"
    }
  }
}

Returns:
{
   "took": 2,
   "timed_out": false,
   "_shards": {
      "total": 5,
      "successful": 5,
      "failed": 0
   },
   "hits": {
      "total": 1,
      "max_score": 0.30685282,
      "hits": [
         {
            "_index": "postfix",
            "_type": "logs",
            "_id": "AVP00rA5U5V4nhi9E0IJ",
            "_score": 0.30685282,
            "fields": {
               "recipients.rcptto": [
                  "[email protected]",
                  "[email protected]"
               ]
            }
         }
      ]
   }
}

Request based on the "recipients.rcptto" field (updated following Richa's reply):
{
"query": {
  "nested": {
     "path": "recipients",
     "query": {
        "match": {
           "recipients.rcptto": "[email protected]"
           }
       }
     }
   }
}

Returns:
   {
   "took": 6,
   "timed_out": false,
   "_shards": {
      "total": 5,
      "successful": 5,
      "failed": 0
   },
   "hits": {
      "total": 1,
      "max_score": 1.4054651,
      "hits": [
         {
            "_index": "postfix",
            "_type": "logs",
            "_id": "AVP1zqtwU5V4nhi9E0Ih",
            "_score": 1.4054651,
            "_source": {
               "status": "sent",
               "queueid": "3nTgBP6Mrpz18dwD",
               "postfixdaemon": "smtpd",
               "recipients": [
                  {
                     "rcptto": "[email protected]"
                  },
                  {
                     "rcptto": "[email protected]"
                  }
               ],
               "mailfrom": "[email protected]",
               "clientip": "127.0.0.1",
               "clienthostname": "server.fr",
               "pid": 7996,
               "delays": "0.06/0/0/0.28",
               "logsource": "smtp2",
               "total_delay": 1,
               "mailsize": 23792,
               "delay": 0.34,
               "program": "postfix",
               "entry_date": "Jan  5 00:45:33",
               "timestamp": "Jan  5 00:45:33",
               "removed": "True",
               "@version": "1",
               "@timestamp": "2016-01-04T23:45:33.000Z"
            }
         }
      ]
   }
}

The recipients are not converted to lowercase. Is this normal?

Best answer

Since your field is nested, you need to use a Nested Query together with a Match Query. Do not use a Term Query, because it looks for an exact match.

{
"query": {
  "nested": {
     "path": "recipients",
     "query": {
        "match": {
           "recipients.rcptto": "[email protected]"
           }
       }
     }
   }
}

Hope this helps...

10-06 14:08
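
Added example (not part of the original question or answer, and not Elasticsearch code): a simplified Python model of the template's "email" analyzer (keyword tokenizer plus lowercase filter) on a nested field. It shows why a match query finds a mixed-case recipient while a term query with the same text does not, and why the returned _source keeps its original case, since analysis changes only the indexed terms. The class and function names are hypothetical and the addresses are constructed sample values.

```python
# Simplified model (added example, not Elasticsearch code) of the page's
# "email" analyzer: keyword tokenizer + lowercase filter on a nested field.

def email_analyzer(text):
    """keyword tokenizer emits the whole value as one token; lowercase folds case."""
    return [text.lower()]


class NestedIndex:
    """Toy index: every nested recipient object gets its own list of terms."""

    def __init__(self):
        self.docs = []  # list of (source, [terms of each nested object])

    def index(self, source):
        nested_terms = [email_analyzer(r["rcptto"]) for r in source["recipients"]]
        # The source document is stored verbatim; only the terms are analyzed.
        self.docs.append((source, nested_terms))

    def term(self, value):
        """term query: the search text is NOT analyzed, it must equal an indexed term."""
        return [src for src, nested in self.docs
                if any(value in terms for terms in nested)]

    def match(self, value):
        """match query: the search text goes through the field's analyzer first."""
        wanted = email_analyzer(value)
        return [src for src, nested in self.docs
                if any(all(t in terms for t in wanted) for terms in nested)]


def demo():
    idx = NestedIndex()
    # Constructed sample document, shaped like the Postfix log entry on this page.
    idx.index({"status": "sent", "recipients": [
        {"rcptto": "First.User@Example.ORG"},
        {"rcptto": "second@example.net"}]})
    hit = idx.match("FIRST.USER@example.org")[0]
    return {
        "term_mixed_case": len(idx.term("First.User@Example.ORG")),
        "term_lowercase": len(idx.term("first.user@example.org")),
        "match_mixed_case": len(idx.match("First.User@Example.ORG")),
        "source_value": hit["recipients"][0]["rcptto"],
    }


if __name__ == "__main__":
    print(demo())
```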